10-08-2006 01:54 AM - edited 03-10-2019 02:46 PM
Dear Group,
I have two ACS: the primary ACS has the IP address 192.168.1.8 and the secondary ACS has the IP address 192.168.1.9.
I tried to forward the authentication requests to the secondary ACS to make sure that we have no problem in case the primary fails, but the secondary ACS did not respond to the requests sent from the AAA client, though I have no problem with the primary ACS.
The secondary ACS has the same configuration and feature set as the primary ACS. The primary ACS is configured to replicate its usernames, configuration, etc. every 60 minutes, and the secondary ACS is configured to receive that replication information.
Unfortunately the secondary ACS is not responding and is giving the following message:
No response from (192.168.1.9:1645,1646)
RADIUS/ENCODE(00000019): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
I will appreciate it if someone can help me with diagnosing what's going on.
Here is the complete debug while entering the username/password:
Username: testuser
*Mar 23 16:00:15.625: AAA/BIND(00000019): Bind i/f
*Mar 23 16:00:15.625: AAA/AUTHEN/LOGIN (00000019): Pick method list 'VTY'
*Mar 23 16:00:15.625: RADIUS/ENCODE(00000019): ask "Username: "
*Mar 23 16:00:15.625: RADIUS/ENCODE(00000019): send packet; GET_USER
Password:
*Mar 23 16:00:22.037: RADIUS/ENCODE(00000019): ask "Password: "
*Mar 23 16:00:22.037: RADIUS/ENCODE(00000019): send packet; GET_PASSWORD
*Mar 23 16:00:28.201: RADIUS: AAA Unsupported [150] 6
*Mar 23 16:00:28.201: RADIUS: 74 74 79 31 [tty1]
*Mar 23 16:00:28.201: RADIUS(00000019): Storing nasport 162 in rad_db
*Mar 23 16:00:28.201: RADIUS/ENCODE(00000019): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Mar 23 16:00:28.201: RADIUS(00000019): Config NAS IP: 192.168.1.12
*Mar 23 16:00:28.201: RADIUS/ENCODE(00000019): acct_session_id: 22
*Mar 23 16:00:28.201: RADIUS(00000019): sending
*Mar 23 16:00:28.201: RADIUS(00000019): Send Access-Request to 192.168.1.9:1645 id 21645/14, len 79
*Mar 23 16:00:28.201: RADIUS: authenticator 79 79 F3 E5 6F 89 69 EA - AA 87 44 E3 F7 93 47 6B
*Mar 23 16:00:28.201: RADIUS: User-Name [1] 9 "testuser"
*Mar 23 16:00:28.201: RADIUS: User-Password [2] 18 *
*Mar 23 16:00:28.201: RADIUS: NAS-Port [5] 6 162
*Mar 23 16:00:28.201: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 23 16:00:28.201: RADIUS: Calling-Station-Id [31] 14 "192.168.1.12"
*Mar 23 16:00:28.201: RADIUS: NAS-IP-Address [4] 6 192.168.1.12
*Mar 23 16:00:33.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:38.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:43.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:48.201: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:48.201: RADIUS/DECODE: parse response no app start; FAIL
*Mar 23 16:00:48.201: RADIUS/DECODE: parse response; FAIL
% Authentication failed.
*Mar 23 16:01:47.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:01:52.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:01:57.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:02:02.929: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:02:02.929: RADIUS/DECODE: parse response no app start; FAIL
*Mar 23 16:02:02.929: RADIUS/DECODE: parse response; FAIL
% Authentication failed.
Thanks for helping me in advance
10-08-2006 02:34 AM
Can you please post the configuration?
10-08-2006 03:43 AM
aaa new-model
aaa authentication login VTY group radius local
aaa authentication login no_authentication non
aaa accounting exec default stop-only group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
ip radius source-interface Ethernet0/0
radius-server host 192.168.1.9 auth-port 1645 acct-port 1646 key lemon123
interface Ethernet0/0
ip address 192.168.1.12 255.255.255.0
line con 0
login authentication no_authentication
line aux 0
line vty 0 4
password cisco
login authentication VTY
transport input telnet
line vty 5 15
login authentication VTY
transport input telnet
10-09-2006 06:09 AM
If you look in the failed attempts report on the secondary ACS, does it say anything?
You need to know if the request is making it to the secondary; if it's getting there, is it being ignored or is there a problem in processing it?
Failed attempts is the first place to look.
Darran
10-10-2006 09:57 AM
Dear Darran,
Unfortunately there are no logs in the secondary ACS. The only logs I can see are the commands I entered on the AAA client; there are no failed attempts records.
The RADIUS is dead. Currently I have bypassed this issue by installing a new ACS on a third server. The IT department insists on solving this issue from the root; they want me to analyze the problem and discover the reason behind this phenomenon.
I will dedicate time next week to play very hard with this ACS to know what's going on. Meanwhile, I will be glad if someone can tell me some methods to run a debug on the Windows machine.
Thanks
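
Added example (not written by any poster in this thread): a small Python summarizer for the RADIUS debug output in the first post, grouping events by server and request id so that a server which never answers stands out. The pattern is inferred only from the log lines on this page, and the function names are illustrative.

```python
import re
from datetime import datetime

# Lines copied from the debug output in the first post (most attribute lines omitted).
SAMPLE = """\
*Mar 23 16:00:28.201: RADIUS(00000019): Send Access-Request to 192.168.1.9:1645 id 21645/14, len 79
*Mar 23 16:00:28.201: RADIUS: User-Name [1] 9 "testuser"
*Mar 23 16:00:33.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:38.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:43.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:00:48.201: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/14
*Mar 23 16:01:47.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:01:52.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:01:57.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15
*Mar 23 16:02:02.929: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/15
"""

EVENT = re.compile(
    r"\*(\w{3} +\d+ [\d:.]+): RADIUS(?:\(\w+\))?: "
    r"(Send Access-Request to|Retransmit to|No response from) "
    r"\(?([\d.]+:\d+)\S* (?:for )?id (\d+/\d+)"
)

def _ts(stamp):  # debug stamps carry no year; pin one so strptime accepts them
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S.%f")

def summarize(log_text):
    """Group RADIUS debug events by (server:port, request id)."""
    reqs = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # attribute dumps, AAA lines, prompts
        stamp, kind, server, rid = m.groups()
        r = reqs.setdefault((server, rid), {"first": _ts(stamp), "send_seen": False,
                                            "retransmits": 0, "timed_out": False})
        r["send_seen"] |= kind.startswith("Send")
        r["retransmits"] += kind.startswith("Retransmit")
        r["timed_out"] |= kind.startswith("No response")
        r["waited_s"] = (_ts(stamp) - r["first"]).total_seconds()
    return reqs

def unanswered_servers(reqs):
    """Servers for which every request seen in the log timed out."""
    not_timed_out = {srv for (srv, _), r in reqs.items() if not r["timed_out"]}
    return sorted({srv for srv, _ in reqs} - not_timed_out)

if __name__ == "__main__":
    print(summarize(SAMPLE), unanswered_servers(summarize(SAMPLE)))
```

For the posted log this reports three retransmits and a timeout for both request ids, with the initial send of id 21645/15 missing from the capture. The summary shows only the client side and does not say whether the packets reached 192.168.1.9.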